Analysis

max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-11-2024 21:04

Static task: static1
Behavioral task: behavioral1
Sample: 46546b272a5c663faadbc48648919ef5e3982abf05bfb6dccbe382ad3dc60dcf.exe
Resource: win10v2004-20241007-en
General

Target: 46546b272a5c663faadbc48648919ef5e3982abf05bfb6dccbe382ad3dc60dcf.exe
Size: 690KB
MD5: 6d8594cdf85f6d5007374dd8a7e259fc
SHA1: f6a95877a60a055b56b97a26b3d81c3640d710e6
SHA256: 46546b272a5c663faadbc48648919ef5e3982abf05bfb6dccbe382ad3dc60dcf
SHA512: 55aa0867902ff9f54fb64513526434f16a71f33a39389ab0f0bf5d8f495638c44f05fa6a37f8302f506de5691443579b427862161dce6ca6506b60f2e59b8bcc
SSDEEP: 12288:qMrPy90OtKaao+rWLYKB9vfl5sMQjtCv/d88wDfPZYW0bhum+EyxJDlHVhhqgA4M:xyd7cSLPPvfbbLv/dnGmr9x+EyVhWD
Malware Config

Extracted
Family: redline
Botnet: rosn
C2: 176.113.115.145:4125
auth_value: 050a19e1db4d0024b0f23b37dcf961f4
Signatures

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource  yara_rule
behavioral1/memory/5116-19-0x0000000000BD0000-0x0000000000BEA000-memory.dmp  healer
behavioral1/memory/5116-21-0x0000000004DD0000-0x0000000004DE8000-memory.dmp  healer
behavioral1/memory/5116-27-0x0000000004DD0000-0x0000000004DE2000-memory.dmp  healer
behavioral1/memory/5116-25-0x0000000004DD0000-0x0000000004DE2000-memory.dmp  healer
behavioral1/memory/5116-49-0x0000000004DD0000-0x0000000004DE2000-memory.dmp  healer
behavioral1/memory/5116-47-0x0000000004DD0000-0x0000000004DE2000-memory.dmp  healer
behavioral1/memory/5116-45-0x0000000004DD0000-0x0000000004DE2000-memory.dmp  healer
behavioral1/memory/5116-43-0x0000000004DD0000-0x0000000004DE2000-memory.dmp  healer
behavioral1/memory/5116-41-0x0000000004DD0000-0x0000000004DE2000-memory.dmp  healer
behavioral1/memory/5116-39-0x0000000004DD0000-0x0000000004DE2000-memory.dmp  healer
behavioral1/memory/5116-37-0x0000000004DD0000-0x0000000004DE2000-memory.dmp  healer
behavioral1/memory/5116-36-0x0000000004DD0000-0x0000000004DE2000-memory.dmp  healer
behavioral1/memory/5116-33-0x0000000004DD0000-0x0000000004DE2000-memory.dmp  healer
behavioral1/memory/5116-31-0x0000000004DD0000-0x0000000004DE2000-memory.dmp  healer
behavioral1/memory/5116-29-0x0000000004DD0000-0x0000000004DE2000-memory.dmp  healer
behavioral1/memory/5116-23-0x0000000004DD0000-0x0000000004DE2000-memory.dmp  healer
behavioral1/memory/5116-22-0x0000000004DD0000-0x0000000004DE2000-memory.dmp  healer

Healer family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pro8486.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pro8486.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pro8486.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pro8486.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pro8486.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pro8486.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (20 IoCs)
resource  yara_rule
behavioral1/memory/3860-61-0x0000000002810000-0x0000000002856000-memory.dmp  family_redline
behavioral1/memory/3860-62-0x0000000004E50000-0x0000000004E94000-memory.dmp  family_redline
behavioral1/memory/3860-64-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3860-76-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3860-96-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3860-94-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3860-92-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3860-90-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3860-88-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3860-86-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3860-84-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3860-82-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3860-80-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3860-78-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3860-74-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3860-72-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3860-70-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3860-68-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3860-66-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline
behavioral1/memory/3860-63-0x0000000004E50000-0x0000000004E8F000-memory.dmp  family_redline

Redline family

Executes dropped EXE (3 IoCs)
pid  Process
1436  un892381.exe
5116  pro8486.exe
3860  qu8705.exe

Windows security modification (2 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pro8486.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pro8486.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un892381.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  46546b272a5c663faadbc48648919ef5e3982abf05bfb6dccbe382ad3dc60dcf.exe
Program crash (1 IoC)
pid  pid_target  Process  procid_target
4136  5116  WerFault.exe  85
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qu8705.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  46546b272a5c663faadbc48648919ef5e3982abf05bfb6dccbe382ad3dc60dcf.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  un892381.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pro8486.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
5116  pro8486.exe
5116  pro8486.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeDebugPrivilege  5116  pro8486.exe
Token: SeDebugPrivilege  3860  qu8705.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description  pid  Process  procid_target
PID 908 wrote to memory of 1436  908  46546b272a5c663faadbc48648919ef5e3982abf05bfb6dccbe382ad3dc60dcf.exe  84
PID 908 wrote to memory of 1436  908  46546b272a5c663faadbc48648919ef5e3982abf05bfb6dccbe382ad3dc60dcf.exe  84
PID 908 wrote to memory of 1436  908  46546b272a5c663faadbc48648919ef5e3982abf05bfb6dccbe382ad3dc60dcf.exe  84
PID 1436 wrote to memory of 5116  1436  un892381.exe  85
PID 1436 wrote to memory of 5116  1436  un892381.exe  85
PID 1436 wrote to memory of 5116  1436  un892381.exe  85
PID 1436 wrote to memory of 3860  1436  un892381.exe  97
PID 1436 wrote to memory of 3860  1436  un892381.exe  97
PID 1436 wrote to memory of 3860  1436  un892381.exe  97
Processes

C:\Users\Admin\AppData\Local\Temp\46546b272a5c663faadbc48648919ef5e3982abf05bfb6dccbe382ad3dc60dcf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\46546b272a5c663faadbc48648919ef5e3982abf05bfb6dccbe382ad3dc60dcf.exe"
Level 1, PID 908
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un892381.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un892381.exe
  Level 2, PID 1436
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8486.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8486.exe
    Level 3, PID 5116
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 1080
      Level 4, PID 4136
      - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8705.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8705.exe
    Level 3, PID 3860
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5116 -ip 5116
Level 1, PID 2768
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 536KB
MD5: 19b5069df9a10b72d40336fc1661ee42
SHA1: e557039781ae6c2e0d58a7f5c4e8f63021ade4e3
SHA256: a6bf43035b75c66f183c70d15b6f68a55da0dc467a4f2578ef6629e050cc8c62
SHA512: bf16b539ae37af298ca78fad4e8b5e987d54be93bfc119f909181345e6658c8566167a1e1a942d1fec2ac911355d6fc5fa07eee77e400eaa20d103b86c7579bf

Filesize: 314KB
MD5: b5ac828d5e3b39cd8c864bfb60385e0f
SHA1: c12c129a8154cf06ad49963515b3a3e06edaf6a1
SHA256: c3141f3db57dba9928cad182733714132df09a1857d388ca5fa45cf09043743b
SHA512: 16021daf84d59e895ff41b63bdec67d13a07315b7757b55ad70f522ff73121f91b6a31487e5ba3dda21a047bfdd3f627037f1cae968e178ca64fb05af19e9c58

Filesize: 372KB
MD5: 2288e9300b407d799ff6ccb07e98517d
SHA1: 1280e64115fdba8874342a52814f6b1ac0e42ff9
SHA256: a0518d1fe59ae3a1aea49091344f13827c5e65d6f159e4cd96556a37152fa0eb
SHA512: fc256f3fc823f55403da754cf8cc15b2c5dee42d31be514caa0313fb91bf08800909a23f7aed6a34e4e02c97b8767278a24ce7a03eb3ec9f19dea9155dfcb583